Board members are main targets in a cyber attack

ET Bureau

Updated: May 04, 2017, 10.53 AM IST


Paul Van Kessel, Global Cyber Security Leader at EY.

Organisations need to do more to understand the nature of their cyber risks in order to create a better strategy to protect themselves. A company's board members are typically first in line in a targeted attack and need to be trained to assess the risks, Paul van Kessel, Global Cyber Security Leader at EY, told Jochelle Mendonca in an interview. Edited excerpts:

What does a company's board need to understand to create a strategy to protect against threats?

About 50% of my work is that I travel around the world; I am invited by companies to talk to the boardroom about this topic. And sometimes I don't even talk. I just sit there and I ask, 'Guys, do you know what your most important data is?' And they start thinking, and then my next question is, 'Do you know where that data is?' and the third question is, 'Do you know where the data is going?' And there is almost no board that knows a precise answer to those simple questions. If you cannot answer those questions, how can you start thinking about cyber-security?

How do board members educate themselves to be able to think about this?

Let me give you an example. So a company has a cyber-security awareness programme and the question in the boardroom is, 'How many of our people have already taken the awareness training?' And the answer will be 80-90%. And then I ask the board members if they took the training. And they say, 'Oh no! We haven't taken it yet.' But their inbox is the first inbox that is going to be targeted. A company can have 6,000 people, but the first in line to be targeted are the people in the boardroom. In most of the hacks, the first step is a phishing email. So board members need to be trained to understand the threat and ask the right questions. And we do that for companies.

What kind of discussions happen in a boardroom about cyber-security?

We are talking about cyber-security in the boardroom. But cyber-security is the answer to the problem. The problem is the cyber risks and how much risk you want to take. In the boardroom, they talk about cyber-security and whether we have enough software and whether we need to buy more software. Do we need more money? I always say in the boardroom, start with what the problem is. Do you know where your risks are? Do you know where your gaps are? And focus your money on the biggest things.

What steps can companies take to guard against breaches?

When you look at all the hacks that have happened in the past years and the root cause of those hacks, about 99% of the time the vulnerability that was exploited had been known about for a year. You can send out patches for known vulnerabilities, but organisations are just sloppy with implementing patches. Organisations don't have their fundamentals in place. Look at ransomware. The best defence against ransomware is to have a back-up which is not connected to the system. Now, when we got the mainframe computers, we were already talking about back-ups. That was 40 years ago and we still don't have a good discipline around back-ups. We don't have a good discipline around patch management. I think organisations need to try harder and do more.